Cisco Firewall :: ASA 5505 - Unable To Access Certain Ports Over Site To Site VPN

Jan 16, 2013

We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
 
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \192.168.1.120 from a 192.168.2.x machine).
 
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable Modified the command to include the public IP instead of interface FastEthernet0
 
I believe it has something to do with the way NAT and route-maps are setup currently but I'm not familar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
 
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
  
Building configuration...
  
Current configuration : 23648 bytes
!
version 12.4
no service pad

[Code].....

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5510 / 5505 - Site-to-site VPN One Way Access

Dec 12, 2011

We have a Cisco ASA 5510 at our main office that makes connection with a 5505 at our other office using site to site VPN. (works)
 
Now for the question,
 
we want to access our other office from the main office but we wont want them to have access to our servers etc. so basically we want to control them but they shouldn't have the rights to control us.

Is this possible with a site to site VPN? and how to do it.

View 7 Replies View Related

Cisco VPN :: 2901 / 2921 / 5505 ASA - Router Versus Firewall Site To Site VPN?

May 30, 2013

I would like to know both Cisco 2901 or 2921 router and Cisco 5505 ASA can build site to site VPN.
 
1) what is the different to build site to site VPN between router and firewall ?

2) which is the best choice if using in site to site VPN connection ? 

View 9 Replies View Related

Cisco Firewall :: ASA 5505 / Site To Site VPN Using Public Addresses On Local Network

Jul 28, 2011

I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
 
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.

View 5 Replies View Related

Cisco Firewall :: ASA 5505 Site To Site RTP Traffic Is Hitting Deny All Rule?

Aug 13, 2012

Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.

Currently the rules are as follows
 
 Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny

 [code].....
 
It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.

View 2 Replies View Related

Cisco Firewall :: ASA 5505 Site To Site VPN Route From Multiple LANs?

Dec 19, 2012

I've set up a standard site-to-site VPN between 2 ASA 5505s and the VPN is working fine for traffic between these ASAs and computers which are in the same LANs.but when I'm trying to connect to computers which are in another VLAN I have a problem.

View 1 Replies View Related

Cisco VPN :: Site To Site VPN IPSEC Tunnel From ASA 5505 To Clavister Firewall

Nov 20, 2012

I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: [code]
 
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505. [code]
 
All these remote networks are at the Main Site Clavister Firewall.

View 1 Replies View Related

Cisco Firewall :: Max Number Of Clients And Site To Site VPN Tunnels On ASA 5505

Aug 15, 2012

I wanted to know the maximum VPN client sessions (using the Cisco VPN  client) and Site-to-Site VPN tunnels that I can connect to my ASA 5505  simultaneously.
 
In other words, if I have x VPN clients and y Site-to-Site  tunnels, at any time, does x + y have to be <= 10 (Total VPN Peers)?  If yes, can I upgrade to the security plus license to increase the Total VPN Peers to 25?

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
[Code]...

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Setup A Site To Site Tunnel?

Nov 13, 2012

I have a 5505 asa code version 8.3(2). Trying to set up a site to site tunnel with someone and he is asking if I can use ike v2. How do I go about setting up the tunnel to use ikev2? Is ikev2 an option with site to site tunnels?

View 5 Replies View Related

Cisco Firewall :: Site-to-Site VPN Between ASA 5510 And 5505 Configuration

Apr 18, 2013

I am not very experienced with Cisco networking.

Here is the situation.
 
Site A - headquarters 192.168.1.x
Site B - remote office 192.168.20.x
Site C - remote office 192.168.30.x
 
Site A - ASA 5510
Site B - ASA 5505
Site C - ASA 5505
 
Site-to-site VPN is established and works between A and B, A and C. Users would like to establish a tunnel between B and C to work on a common project and the data is on Site B.
 
I tried configuring the S2S VPN with pre-shared keys on both firewalls at sites B and C but in the end it is not established (I cannot ping either side). I used the Wizard interface multiple times and one time the CLI. I generally followed the settings chosen between the headquarter and the individual remote sites and tried to replicate them. Obviously I have made a mistake somewhere.
 
Could there be any limitation on the ASA 5505 in terms of licensing and the number of S2S tunnels?

View 7 Replies View Related

Cisco Firewall :: Site To Site VPN Between PIX515 And ASA 5505 With Dual ISP?

Apr 13, 2011

We have got site to site VPN configured between local site with PIX515 6.3(5) and remote site with ASA 5505 7.2(4) . Because of very unreliable internet connection in remote site , we have added new ISP link  which we want to use as redundant link .i understand ASA 5505 can be configured with two ISP link with SLA monitor method for redundancy as per this document ,[URL]
 
my question is how do i set up this pix 515 to have redundant VPN tunnel with remote site (when primiary ISP link fails in remote site and  secondary ISP links takes over ) .  I was thinking of using   PIX 515 with 2 peers in same crypto map used for that sepcific site to site vpn tunnel,not sure that is the right way or not though.But how would i configure ASA 5505 to use backup interface(where secondar isp router conects ) to particitae in Site to site Tunnel .

View 4 Replies View Related

Cisco Firewall :: ASA 5505 Site-to-Site With UC540 Routing?

Dec 4, 2012

We are setting up a new phone system using the UC540 with a VPN connection between 2 buildings using 2 Cisco ASA 5505's at either end.The problem I am having is getting the phones at the remote site to connect to the UC540 at the main site.
 
Phones/Computers (10.0.1.0/24) -- ASA -------------VPN Tunnel------------- ASA -- UC540 -----------Data Vlan1 (10.0.0.0/24)
|------Voice Vlan100 (10.1.1.0/24)
 
What i am told by UC500 support is that the phones at the remote site will connect if they have connectivity to the TFTP subnet on the UC540, which is 10.1.10.0/30 I added the static route on the ASA and I can ping the 10.1.10.1 TFTP server on the UC540 from the ASA, but not for any other device on the 10.0.0.0/24 network, such as the DC.  I added the static route there and was able to ping, so something in the ASA seems to be preventing it. 
 
I also can't seem to get the ASA at the remote site to ping 10.1.10.1.  I've tried adding the static route there in hopes it would forward it through the VPN tunnel.

View 1 Replies View Related

Cisco VPN :: ASA 5505 Site-to-site And Limiting Access?

Mar 27, 2011

I'm going to confess limited knowledge up front, so forgive me if I sound like an idiot.  The company I work for has recently started hosting our application for some of our clients; to do this, we are leasing rack space, connections, and hardware in a data center.  We need to send data from our application to an application in our client's data center.  They have an ASA 5505.
 
Our data center will support site-to-site VPN and nothing else.  Our client finds this unacceptable, citing security and the inability to restrict access to only the small number of servers our application needs to access.  I need to be able to discuss this intelligently and with facts (and, preferably, configuration examples on hand) with their CIO and network staff in the next day or so.
 
Can the ASA 5505 be configured for a site-to-site VPM with our data center that restricts our application server to accessing a limited set of IP addresses within their network?  If so, can this be accomplished reasonably easily? 

View 4 Replies View Related

Cisco Firewall :: ASA 5505 Site To Site VPN Keep Dropping?

Feb 1, 2012

I have an issue with my site to site VPN. I have 4 sites connected  to my main HQ site via Cisco ASAs 5505 firewalls. The problem is that once and then the sites disconnected from my main site. This disconnection is not happening at the same time for the the 4 sites. For example, it might be different site each time disconnected.

View 7 Replies View Related

Cisco Firewall :: Site To Site VPN Configured On ASA 5505

Dec 2, 2012

I have a site to site VPN configured on a asa5505. The tunnel is up and the interesting traffic is successfully being encrypted. The issue is that when inbound traffic originating from a subnet outside of the encrypted range destin to the subnet within the encrypted range, the return traffic is sent into the tunnel and obviously fails.When traffic from 1.1.1.0/24 to 10.2.2.0/24 traverse the firewall the return traffic goes into the tunnel but it doesn't have the correct match parameters?Am I missing something?  I'm expecting that only traffic matching the crypto map will use the tunnel and all other traffic will utilize the default route.

View 3 Replies View Related

Cisco VPN :: Configure A Site-to-Site VPN In ASA 5505 Firewall

Dec 13, 2010

I'm trying to configure a Site-to-Site VPN in a Cisco ASA 5505 firewall which is behind an ISP router (Cisco 800 Series) configured in routing mode (not bridging) and with a static nat of all the ports to the firewall (avoiding bridging mode of the router). [code]

View 12 Replies View Related

Cisco VPN :: Site To Site With ASA 5505 And Sonic Firewall

Aug 27, 2009

I'm trying to establish a vpn tunnel with a sonic firewall.  We've checked both ends for differences and they are the same.  PFS has been disabled on both ends.  I'm seeing this in the logs.
 
%ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
%ASA-5-713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

[Code].....

View 4 Replies View Related

Cisco VPN :: 5505 - Site To Site Connected But Cannot Ping Remote Site

Oct 11, 2011

cisco products and am struggling getting a VPN going between an ASA 5505 and 5510.  I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).

View 11 Replies View Related

Cisco VPN :: ASA 5505 Site-to-site VPN Access

Feb 22, 2011

I’m relatively new to ASA & issue I’m having with a site-to-site VPN connection between two ASA 5505.I’ve configured the ASA with ASDM and we only need it for site-to-site VPN.

The issue is that the tunnel is up and both sites can ping and traceroute each other and I can access the internal web interface of the two ASA from both sites  but other communication is failing like RDP (giving me 0x1104 protocol error) or any other form of network access such as network shares is failing.shouldn’t the tunnel allow all traffic to pass-through ?

So what possibly I’m doing wrong..., I know that this might be beyond the tunnel but what do you recommend me to do ? the HQ has network 192.168.10.0 and Branch has network 192.168.11.0 and we have Win server 2003 and ISA 2004 on HQ site and traffic going to 192.168.11.0 from HQ is routed to ASA by the default gateway (Win 2k3 SBS) and both networks are configured as local on Server, but even after eliminating server and isa by making ASA the default gateway of the network I’m getting the same resul [code]

View 8 Replies View Related

Cisco VPN :: ASA 5505 / Site To Site Vpn With One Site Always Initiate A Tunnel?

Feb 7, 2011

I have ASA 5505, i configured site to site vpn between central site and remote site and is working. Now the problem is we use remote site for troubleshooting purpose, so we need to create a tunnel from remote site to central site. I need to configure such a way that remote site can craete a tunnel to central site, but central site not able to create a tunnel, it just respond to remote site.

View 3 Replies View Related

Cisco VPN :: ASA 5505 Site To Site Connection / Remote Site?

Mar 6, 2011

i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?

View 1 Replies View Related

Cisco VPN :: Unable To Connect Between Remote Site And Access ASA 5505

Jan 30, 2013

I am having issue with network connectivity between remote access (RA) VPN users and remote site VPN hosts.
 
Topology is:
RA VPN laptop (192.168.200.3 /24) ---- internet ---- Head Office (ASA5505) -- LAN subnet 10.0.0.0 /24
 
SiteB (10.0.10.0 /24) ---- internet ----- Head Office (ASA5505) ---- LAN subnet 10.0.0.0 /24
 
From head office there is no issue communicating with RA VPN and siteB hosts but Site B hosts and RA VPN users can not communicate each other totally (ping failed too).
 
Site B is using Cisco 867 router with IPSEC VPN to the ASA5505 at head office. I have added the ACL on this router to access 192.168.200.x /24 for VPN traffic and exempt from NATing. When I enabled ' drop log' in the class-map in the Zone based firewall config, I could not see any ping packt comes in so I believe the issue is at ASA5505 config.
 
At ASA5505 I use split VPN tunnel ACL and have included the subnet for 10.0.10.0/24 as well as 192.168.200.0 /24. This split tunnel ACL are applied to both the IPSec VPN tunnel and also the RA VPN group policy. The ASA is using sw version 151-4.M5.

View 6 Replies View Related

Cisco Firewall :: ASA 5510 Identity NAT Configuration For Remote Access VPN And Site-to-Site

Mar 9, 2011

I am try to configure ASA 5510 with 8.3 IOS version.My internal users are 192.168.2.0/24 and i configured dynamic PAT and are all internet .

i want configure identity NAT for remote access VPN.Remote users IP pool is 10.10.10.0 to 10.10.10.10
 
i know to configure NAT exemption in IOS 7.2 version. But here IOS 8.3 version. configure NAT exemption for 192.168.2.0/24 to my remote pool( 10.10.10.0 to 10.10.10.10).

View 6 Replies View Related

Cisco VPN :: 5510 Site To Site VPN Access To Servers With Overlapped Remote Site

May 18, 2012

I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO(192.168.10.0/24).My requirement is only  My remote site need to accees couple of my servers in HO which is in 192.168.200.0/24 subnet.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Allow Only One Host Access To VPN Site To Site Tunnel

May 28, 2012

I have a ASA 5510 that has multiple site to site VPNs. I need to create an additiona site to site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I dont want any other traffic allowed to access or traverse the VPN tunnel for this host.  How can I set this up?

View 33 Replies View Related

Cisco VPN :: 5505 Connection To Mapped File Shared Dropping On A Site-to-Site VPN

Nov 27, 2011

We've just deployed a site-to-site VPN using a 5505 ASA on the client's site and a checkpoint Nokia FW on our site. Everything seems to be fine except that the user's connections to their file shares seem to be intermittently dropping. One minute the connection to the shares is there, next thing it's lost. There is no logic to it because no two users are experiencing issues at the same time, as a matter of fact even on the same PC where a user has access to 3 shares on 3 different servers, one could be showing as connected whereas the other two be dropping. [code]
 
As you can see the Duplex and Speed are set to auto, I've rectified this since then and I'm keeping a close eye on the output errors, and collisions. However, I'm afraid that this did not rectify the issue and the users are still experiencing intermittent connection dropping to their file shares over the VPN!

View 1 Replies View Related

Cisco :: ASA 5505 Site To Site RTP Traffic Is Hitting Deny All Rule?

Aug 14, 2012

Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.

Currently the rules are as follows

Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny

[code]....

It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.

View 3 Replies View Related

Cisco VPN :: Setup Site-to-Site Connection With 5505 ASA Using IPSec And Isakmp?

Aug 8, 2011

im drawing a blank trying to setup a site to site connection with a 5505 ASA using ipsec and isakmp.i have the pre shared key as well as the external address of the other end of the tunnel but do not remember what the commands are to setup the crypto map and isakmp.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5505 - Procedure For Monitoring Site-to-site VPN Tunnel?

Apr 30, 2012

Need to know the step by step procedure for monitoring site-to-site VPN tunnel (up/down) using SNMP on Cisco ASA 5505. 

View 1 Replies View Related

Cisco WAN :: 5505 Correct Site-to-site / SSLVPN Security Device

Dec 12, 2012

I have tried Cisco presales but got bounced - go Cisco !So, i have a small customer who requires a single device which will provide .....
 
1/ Leased Line connection @ 10mb
2/ ADSL failover onbox (so configurable from CLI, unlike the 860’s which I see only have one ‘active’ wan port)
3/ IOS based
4/ integrated 4 ports (min) switch
5/ site to site VPN
6/ up to 10 x SSLVPN remote users
 
I did pitch in with ASA5505 with external ADSL router but he is “space-constrained”.It worries me when Cisco doc's say only one WAN port is 'active' - since it doesn't say the second port automatically comes up if the first goes down so I can't take a gamble on that being the case.

View 3 Replies View Related

Cisco Routers :: Site-to-site VPN From SRP527W (dynamic IP) To ASA 5505 (Static)

Sep 6, 2011

I have an ASA5505 running which is on a static IP. I have just got an SRP527W for a remote worker and want to create a site-to-site VPN into the ASA. I have a number of other router of non-cisco brand which just all dial-in and connect no problem.
 
On other routers I have been abloe to specify the DDNS hostname in the VPN setup so that the ASA can identify it. I'm not sure how I setup the SRP527 to connect to the ASA.

View 3 Replies View Related

Cisco VPN :: ASA 5505 / Site 2 Site VPN With Backup Peer Not Able To Send Traffic

Mar 13, 2011

I have 2 ASA 5505 Firewall, I Configured Site 2 Site VPN no both the fitrewall, as i have a dual ISP, i am able to create the tunnel with primary but once my primary is down i am not able to create the tunnel with back up ISP. During the troobleshoothing by typing Show isakmp sa and Show ipsec sa, i can see my tunnel is up, but not able to decap the packets.
 
As it will look like
 
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0      #pkts compressed: 0, #pkts decompressed: 0      #pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0      #send errors: 0, #recv errors: 0

View 4 Replies View Related

Cisco VPN :: ASA 5505 - Users Aren't Able To Reach Remote Network Through Site-to-site Tunnel

May 21, 2011

Remote-access users aren't able to reach our remote network through a site-to-site VPN tunnel between two ASA 5505's.
 
I've seen several threads about that here, I've run through the walkthrough at [URL] I've taken a stab at setting split tunnelling and nat exemption, but it seems I'm still missing something. Remote-access users can reach the main site, but not the remote site.
 
Remote-access (vpn-houston) uses 192.168.69.0/24.
The main site (houston) uses 10.0.0.0/24
The remote site (lugoff) uses 10.0.1.0/24

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved